Wireless network (WEP security)

James Knott james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Wed Oct 1 10:31:47 UTC 2003


Tim Writer wrote:
> Emir <emir-rdkfGonbjUTTQjIoRn/dzw at public.gmane.org> writes:

>>As people already pointed out, there's a slew of "solutions"; I prefer to call
>>them "workarounds".  As someone who's had a wireless network for a very long
>>time now (I was one of the co-founders of the now-defunct Toronto Wireless
>>Community Network), I can offer you the following advice: treat your wireless
>>network as the most hostile section of the Internet.
>>
>>Don't rely on WEP by any means, in fact I'd suggest you turn it off because it
>>does nothing 'cept reducing throughput and causing silly disconnects.  Your
>>real protection comes higher up on the TCP stack, as VPN, SSL, or SSH tunnel.
> 
> 
> I couldn't agree more.  A few people have mentioned FreeS/WAN which is a
> great solution but can be daunting to set up.  A very nice alternative is:
> 
>     http://openvpn.sourceforge.net/
> 
> which runs on Linux and Windows.  On my home network, I have a LEAF firewall
> with a wireless card.  All traffic from the WLAN is denied except OpenVPN to
> my desktop.  When I bring the WLAN interface of my notebook up, I also bring
> up OpenVPN.  And the OpenVPN startup script makes OpenVPN the default route.
> With this approach, anyone can join my WLAN without too much difficulty but
> they can't go anywhere unless they have an OpenVPN connection.

I have something similar, except I'm using CIPE for my VPN.

> 
> 
>>The moment you introduce wireless access on your network, all your computers
>>are exposed, which means don't rely on your Internet firewall, every machine
>>needs to firewall itself (you can still keep your Internet firewall as an
>>outer perimeter, but don't fall into a false sense of security).
> 
> 
> Another good point.  Many (most?) of the SOHO wireless access points on the
> market claim to be firewalls too.  In practice, they firewall only the
> Internet connection, giving wireless devices full access to your LAN.  Don't
> be misled by features such as a MAC filter which deny Internet access to
> devices with an unknown MAC address but still give them full access to the
> LAN.
> 

It would be nice if those boxes could be "reversed", where the wireless
side is hostile and the WAN side friendly.
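
The policy described in the quoted text above (everything arriving from the WLAN denied except OpenVPN to one host) can be checked against a saved ruleset. This is an added example, not part of the original message or anyone's actual firewall: the interface names, the desktop address and OpenVPN on 1194/udp are assumptions, and both rulesets are constructed samples in `iptables-save` format.

```python
import shlex

# Assumed values (not from the thread): interface name, desktop address, and
# OpenVPN on 1194/udp. "!" negations in rules are not handled.
WLAN, VPN_HOST, VPN_PORT = "wlan0", "192.168.1.10", "1194"
# Constructed iptables-save samples. STRICT: the WLAN reaches only OpenVPN.
STRICT = """:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT"""
# WEAK: the WLAN is kept off the WAN (eth1) but has the run of the LAN (eth0).
WEAK = """:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth1 -j DROP
-A FORWARD -i wlan0 -o eth0 -j ACCEPT"""

def audit(ruleset):
    """List the ways WLAN traffic gets in other than OpenVPN to VPN_HOST."""
    policy, rules = {}, {"INPUT": [], "FORWARD": []}
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if line.startswith(":") and tok[0][1:] in rules:
            policy[tok[0][1:]] = tok[1]
        elif line.startswith("-A ") and tok[1] in rules:
            # Map each flag to the token after it, e.g. {"-i": "wlan0"}.
            o = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t[0] == "-"}
            rules[tok[1]].append((line, o))
    findings = []
    for chain, items in rules.items():
        closed = policy.get(chain) == "DROP"
        for line, o in items:
            state = o.get("--state") or o.get("--ctstate") or "NEW"
            if o.get("-i", WLAN) != WLAN or "NEW" not in state.split(","):
                continue  # another interface, or replies to allowed flows only
            if o.get("-j") in ("DROP", "REJECT") and not set(o) - {"-A", "-i", "-j"}:
                closed = True  # catch-all: later rules never see WLAN traffic
                break
            vpn = (chain == "FORWARD" and o.get("-p") == "udp" and o.get("--dport") == VPN_PORT
                   and o.get("-d", "").split("/")[0] == VPN_HOST)
            if o.get("-j") == "ACCEPT" and not vpn:
                findings.append(f"{chain}: WLAN traffic accepted by: {line}")
        if not closed:
            findings.append(f"{chain}: no default DROP for WLAN traffic")
    return findings

if __name__ == "__main__":
    for name, text in (("STRICT", STRICT), ("WEAK", WEAK)):
        print(name, audit(text) or "OK")
```

The WEAK sample mirrors the access-point behaviour described in the thread: the WLAN is blocked from the Internet side yet still accepted onto the LAN, so the audit reports it.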



